Finding the Needle in the NBEstack

I’m a huge fan of the Nessus vulnerability scanner.  It’s got plug-ins for anything you could ask for, runs great in a Linux environment, and outputs a ton of information (thanks to thousands and thousands of checks).  While all that information is a good thing, sometimes you are just looking for specific issues or findings across a network.  A quick way I like to strip out interesting information is grepping through the output files for certain Nessus ID’s.  Here is a quick list of interesting plug-ins:

• 16314 – Lists suspicious and unwanted software.
• 36217 – Detection of the Conficker worm.
• 23938 – Locates Cisco routers with missing / default passwords.
• 38153 – A nice summary of missing Microsoft patches.
• 11936 – Identification details about the machines OS.
• 10673 – Locates SQL servers with default / blank SA accounts.
• 10396 – Details about SMB shares.
• 23910 – Locates modified HOSTS files – can be an indication of a virus or malware.

To search for these, I usually do a quick grep nessus-id *.nbe and then use cut with custom delimiters to filter out the IP addresses and other pertinent information.